10-15-2012 02:35 PM
I'm trying to understand what a dual-nat policy rule action does. The documentation implies that it performs a combination src-nat and dest-nat. So I would expect the dual-nat to require the following settings:
- NAT Pool (needed for src-nat)
- Destination IP or Name (needed for dst-nat)
- Destination Port (needed for dst-nat)
But dual-nat only seems to require a NAT pool and a port. So what exactly does dual-nat do?
Solved! Go to Solution.
10-16-2012 04:54 AM
You need to define the NAT pool with both the src-nat and dst-ip first. They are both contained in the same pool, that is why you only see the choice for one in the ACL creation.
The following is an example how I've used dual-nat in the pat.
- Guest Network
- Customer has Citrix and Mail servers that it wants to allow access to on the Guest network (employees use the Guest network with personal devices)
- External DNS servers are used on the Guest network, so when the user's attempt to resolve the hosts above, they get the external IP address
- A combination of network firewall and routing of this enviroment would not allow this traffic out and back in through the external IP, we need to redirect the requests to the internal IP
- We setup a dual-nat rule to handle this. The src-nat portion was used for NAT'ing the guest traffic to a particular IP (using a pool). The dst-nat portion was setup to redirect requests to the external IP to the internal IP.
ip NAT pool portal-dual <beg.src.nat.ip> <end.src.nat.ip> <dst.nat.ip.address>
any host x.x.x.x svc-https dual-nat pool portal-dual 443
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
11-09-2012 05:10 AM
Clembo, great post. We had this exact same scenario in our environment and I was able to deliver Citrix to our guest wifi network using this solution. I do have one question. Is a dual-nat really necessary in this scenario? I first tried just dst-nat'ing the traffic destined for the public IP of our citrix gateway to the DMZ address, but that did not work.. Once I read your post and configured dual-nat I was able to get this to function as expected. Why was the src-nat half of dual-nat necessary in this case?
An example where I only had to dst-nat was in the case of our captive portal for unregistered guests which accomplished the redirect that we needed.
Thanks in advance